Privacy Policy
Information pursuant to Art. 13 and Art. 14 of the General Data Protection Regulation (GDPR)
This is an informal translation. The German version is legally binding.
1. Data Controller
The data controller responsible for processing personal data on this website within the meaning of the GDPR is:
moirée – registered nonprofit association (gemeinnütziger Verein)
Schmiedgasse 36
8010 Graz, Austria
Email: info@moiree.eu
Phone: +49 157 38195706
2. Purpose of Data Processing
Collection of anonymised accounts of experience for a public database documenting professional discrimination in the creative industries (Germany, Austria, Switzerland).
Submissions received via the submission form are published in a publicly accessible database following editorial review and anonymisation. The aim is to make invisible patterns of professional disadvantage visible and citable.
Membership data (declaration of membership)
If you submit a declaration of membership via the form on the “Contribute” page, we process the personal data you provide there (name, date of birth, address, email address, phone number, profession and, where applicable, organisation details) solely for the purpose of membership administration and to fulfil legal and statutory obligations.
The legal basis is Art. 6(1)(b) GDPR (establishing and performing the membership) and Art. 6(1)(c) GDPR (legal obligations). The completed declaration is transmitted to the board and stored for the duration of the membership and for the statutory retention periods (in particular seven years under § 132 BAO). For sending emails we use Resend Inc. (EU region) as a processor.
Optional listing in a public membership list and the newsletter subscription occur only with your explicit consent (Art. 6(1)(a) GDPR), which you may withdraw at any time with future effect.
3. Legal Basis
The processing of your data is carried out on the following legal bases:
- Art. 6(1)(a) GDPR (consent) — You give your consent to the processing by submitting the submission form and activating the consent declaration.
- Art. 9(2)(a) GDPR (explicit consent for special categories of personal data) — As submissions may contain special categories of personal data (see Section 4), explicit consent is required. This is obtained via the consent declaration in the submission form.
4. Special Categories of Personal Data (Art. 9 GDPR)
Accounts of experience submitted via the submission form may contain special categories of personal data within the meaning of Art. 9(1) GDPR. This applies in particular to:
- Information about experienced discrimination on the basis of gender
- Information about harassment, including sexual harassment
- Information about ethnic origin, where mentioned in the account
- Information about health status, in particular psychological effects
- Information about sexual orientation, where relevant in the context of the experience
These data are processed exclusively on the basis of your explicit consent (Art. 9(2)(a) GDPR). Publication takes place only after editorial review and complete anonymisation.
5. Recipients and Data Processors
For sending transactional emails (contact form confirmations, newsletter sign-ups), we use the service Resend Inc. as our email service provider and data processor. Email is processed in Resend's EU region (Ireland).
Recipient data is processed within the EU (Ireland); no transfer to a third country (e.g. the USA) takes place.
Further information on data protection at Resend can be found in their privacy policy: https://resend.com/legal/privacy-policy
All form data (submissions, contact requests, newsletter sign-ups) are processed and stored on EU servers (Railway, Netherlands). Any transfer to further recipients is limited to the data processors named below.
Submitted accounts of experience are automatically checked for personal data prior to AI pre-screening. Texts in which names are detected are handled exclusively by human moderators and are not transmitted to external AI services. Texts without detected names are transmitted to Anthropic for content pre-screening and machine translation (see the following paragraph).
For AI-assisted content pre-screening and machine translation, we use Anthropic PBC (USA) as a data processor. This may involve a transfer of personal data to the USA. The legal basis for the transfer is the EU Commission's Standard Contractual Clauses together with your explicit consent (Art. 49(1)(a) GDPR). Under Anthropic's terms, content submitted via the programming interface (API) is not used to train AI models.
To detect and fix technical errors, we use the service Sentry. Technical data such as IP address, browser type and the requested URL may be processed. Error reports are stripped of personal content before transmission.
6. Retention Period
Raw data (accounts of experience submitted via the submission form that have not yet been anonymised) are deleted after editorial review and anonymisation, and at the latest after 90 days.
The anonymised data published in the public database are stored indefinitely. As these data are anonymised within the meaning of Recital 26 GDPR, they are no longer subject to the GDPR.
7. Anonymisation
Every submission undergoes editorial review prior to publication. In the course of this review, the following steps are taken:
- Names, companies, locations and other direct identifiers are removed or generalised
- Specific details that could enable identification are abstracted
- Quasi-identifiers (e.g. years, job titles) are generalised to a level that prevents attribution to individuals
Upon completion of anonymisation, the published data no longer constitute personal data within the meaning of Recital 26 GDPR. Re-identification of the submitting person is no longer possible with reasonable effort.
Our moderation guidelines are informed by established standards for qualitative data anonymisation (UK Data Service) and by the principles of k-anonymity.
Automated decisions (Art. 22 GDPR): No automated decisions with legal effect are made. AI pre-screening serves exclusively as decision support for human moderators. Every publication requires manual review and approval.
8. Withdrawal and Deletion
As we do not collect personal data, we are unable to attribute individual submissions to specific persons once they have been submitted. Withdrawal of consent or deletion of individual entries is therefore not possible after publication.
Prior to publication — that is, during the editorial review phase (up to 90 days) — you may request the deletion of your submission. As submissions are anonymous, you will need to provide the approximate time and content of your submission so that we can identify it.
Please note: the submission form does not collect an email address, name, or any other personal contact data. This deliberate design decision protects your anonymity, but also means that we are unable to attribute or remove individual submissions after publication.
9. Rights of Data Subjects
You have the following rights under the GDPR with regard to your personal data:
- Right of access (Art. 15 GDPR) — You have the right to request information about the personal data we process concerning you.
- Right to rectification (Art. 16 GDPR) — You have the right to request the rectification of inaccurate data.
- Right to erasure (Art. 17 GDPR) — You have the right to request the erasure of your data, provided the conditions of Art. 17 GDPR are met.
- Right to restriction of processing (Art. 18 GDPR) — You have the right to request the restriction of the processing of your data.
- Right to data portability (Art. 20 GDPR) — You have the right to receive your data in a structured, commonly used and machine-readable format.
- Right to object (Art. 21 GDPR) — You have the right to object to the processing of your data.
Important note: As the submission form does not collect personal identification data and the published data are fully anonymised, the rights set out above can only be exercised to a limited extent in practice. We can only attribute a submission to a specific person if that person provides us with specific information about the content and timing of their submission.
Right to lodge a complaint: You have the right to lodge a complaint with the competent supervisory authority. For Austria, this is the Austrian Data Protection Authority (dsb.gv.at).
10. Hosting and Website Access
This website is hosted via Railway Inc. (340 S Lemon Ave #4133, Walnut CA 91789, USA). The servers are located in the EU (Amsterdam, Netherlands).
Cookies: This website does not set any tracking cookies, analytics cookies, or advertising cookies. No cookies are set for regular visitors. Exclusively for authenticated administrators, two technically necessary session cookies are set upon login:
- access_token — Authentication of the admin session, valid for 15 minutes
- refresh_token — Renewal of the admin session, valid for 7 days
Both cookies are httpOnly, Secure, and SameSite=Strict. They contain no personal data and serve exclusively for authentication purposes. Legal basis: Art. 6(1)(b) GDPR (performance of a contract / technically necessary). Consent is not required.
Analytics services: This website does not use any analytics services (no Google Analytics, no Matomo, no comparable tools). No usage statistics are collected.
Server logs: When this website is accessed, Railway automatically creates server log files that may contain technical access data (e.g. IP address, time of access, page accessed). These data are processed by Railway in accordance with their own privacy policy. We have no access to these server logs.
Fonts: All fonts used on this website (Playfair Display, Source Serif 4, IBM Plex Mono) are hosted locally (self-hosting via WOFF2 files). No external font services such as Google Fonts are used. No personal data is therefore transferred to third parties through the loading of fonts.
11. Newsletter
We offer a newsletter to which you can subscribe voluntarily. Newsletter management (sign-ups, unsubscribes, subscriber data) is handled in a self-hosted manner within our own PostgreSQL database on Railway (EU server, Netherlands).
For email delivery, we use the service Resend Inc. as our data processor. Only the email address and first name (for personalisation) of the recipient are transmitted to Resend. The data is processed in Resend's EU region (Ireland); no transfer to a third country takes place. Open and click tracking is disabled.
Data collected: Upon sign-up, your email address and, optionally, your first name are stored.
Double opt-in: Following sign-up, you will receive a confirmation email. You will only be added to the mailing list after clicking the confirmation link. This ensures that only you can sign up using your email address.
Legal basis: Art. 6(1)(a) GDPR (consent).
Unsubscribing: You can unsubscribe from the newsletter at any time. Every newsletter contains a one-click unsubscribe link. After unsubscribing, your email address is no longer used for sending; it remains on a suppression list so that we do not contact you again (this also applies to addresses that bounce or report spam). You can request complete deletion of your data at any time by emailing info@moiree.eu.
Further information on data protection at Resend: Privacy Policy | Data Processing Agreement (DPA)